LUKSbox v0.2.2
/ Documentation / CLI reference / luksbox open

luksbox open

Unlock a vault and run a follow-up command (or just verify it opens).

luksbox open [OPTIONS] <PATH>

Unlocks the vault, verifies the header HMAC, and exits. Useful for testing whether a passphrase / device works before doing anything that modifies the vault.

For mounting as a drive, use luksbox mount instead.

Examples

# Passphrase unlock - prompts for the passphrase
luksbox open my.lbx

# FIDO2 unlock - touches the device
luksbox open my.lbx --fido2

# Detached header
luksbox open my.lbx --header /media/usb/my.hdr

# Hybrid-PQ
luksbox open my.lbx --pq-hybrid /media/usb/my.kyber

# Pin to a specific FIDO2 device
luksbox open my.lbx --fido2 --fido2-device /dev/hidraw3

Successful unlock prints vault opened. Failure prints the specific error (UnlockFailed, Fido2CredNotFound, HeaderAuthFailed, etc.) and exits non-zero.

Use in scripts

if LUKSBOX_PASSPHRASE="$(cat ~/.config/my-vault-pp)" luksbox open my.lbx; then
    echo "vault healthy"
else
    echo "vault BROKEN or wrong passphrase"
fi
<- Previousluksbox mount